TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

While Effective Actions Have Been Taken to Address Previously Reported Weaknesses in the Protection of Federal Tax Information at State Government Agencies, Additional Improvements Are Needed

November 10, 2009

Reference Number: 2010-20-003

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(a) = Identifying Information - Name of an Individual or Individuals

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

November 10, 2009

MEMORANDUM FOR COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION

FROM: Michael R. Phillips
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report – While Effective Actions Have Been Taken to Address Previously Reported Weaknesses in the Protection of Federal Tax Information at State Government Agencies, Additional Improvements Are Needed (Audit # 200920015)

This report presents the results of our followup review of a prior audit report [1] to determine whether the Internal Revenue Service (IRS) Safeguards Program has implemented sufficient policies and procedures to ensure that State Government agencies are adequately protecting Federal tax information received from the IRS. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan and is part of our statutory requirements to annually review the adequacy and security of IRS information technology.

Impact on the Taxpayer

The IRS Safeguards Program is tasked with ensuring that State Government agencies receiving Federal tax information maintain adequate safeguards to protect the data from unauthorized disclosure. The IRS has taken effective actions to address two previously reported weaknesses on guidance and contract oversight in the Safeguards Program. However, improvements on the monitoring of State agencies’ corrective actions and the timely reporting from reviews of State agencies are needed to ensure that Federal tax information provided to State agencies is adequately protected.
These conditions increase the risk that taxpayer data are not being adequately secured and might be inappropriately accessed or used, possibly for fraudulent purposes such as identity theft.

[1] Insufficient Attention Has Been Given to Ensure States Protect Taxpayer Information (Reference Number 2007-20-134, dated August 31, 2007).

Synopsis

In August 2007, we reported significant weaknesses in the management of the IRS Safeguards Program. Specifically, we found that 1) test plans used to conduct safeguard reviews [2] were not consistent with Federal guidance, 2) corrective actions stemming from safeguard reviews were not monitored in a Plan of Actions and Milestones (POA&M), [3] 3) results of safeguard reviews were not provided to State Government agencies in a timely manner, and 4) contractor performance and billing were not adequately managed and verified.

In this review, we found that the IRS had corrected two of these four conditions. The IRS revised Publication 1075 [4] and the test plans to be consistent with guidelines provided in National Institute of Standards and Technology Special Publication 800-53a [5] and implemented effective controls to manage the contract supporting the Safeguards Program. However, we believe the other two areas, the use of POA&Ms and timeliness of reporting results, were only partially corrected or not corrected at all and will continue to require management attention.

While the Safeguards Program implemented the use of POA&Ms to track security weaknesses, it did not monitor the targeted due dates of the recorded weaknesses in the POA&Ms to ensure that corrective actions were implemented in a timely manner. We identified 45 State Government agencies in the IRS POA&M tool having 1,094 security weaknesses that had not been corrected by the targeted milestone dates. These weaknesses included instances where access controls and audit trails had not been implemented effectively. The Safeguards Program conducted only a limited review of the information provided by the State agencies in their annual reports to validate that the corrective actions taken were appropriate and implemented. As such, we believe the IRS Safeguards Program is not proactively monitoring the progress of corrective actions or validating the closure of corrective actions identified during safeguard reviews of State agencies and their contractors.

[2] The IRS conducts safeguard reviews to evaluate State Government agencies’ compliance with security procedures. These reviews generally follow test plans that contain security requirements.
[3] The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.
[4] Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities, dated October 2007, provides guidance to States regarding the policies and procedures necessary to adequately protect Federal tax information.
[5] Guide for Assessing the Security Controls in Federal Information Systems, dated July 2008, provides guidelines for building security assessment plans and comprehensive procedures for assessing the effectiveness of security controls employed in information systems in the Federal Government.

In addition, we determined that safeguard review reports continue to be issued in an untimely manner. For safeguard reviews conducted in Fiscal Year 2008, the Safeguards Program issued 66 of 78 draft reports in an average of 106 calendar days after the closing conferences. As of June 30, 2009, the remaining 12 draft reports for Fiscal Year 2008 had not yet been issued to the recipient agencies and their contractors. These reports averaged 354 calendar days past the closing conference dates.

Recommendations

We recommended that the Director, Safeguards, Small Business/Self-Employed Division, 1) revise existing policies, as necessary, to require State agencies and their contractors to provide sufficient documentation on a more frequent basis to support that corrective actions were taken to address reported computer security weaknesses, 2) complete planned personnel actions so that adequate staffing is available to proactively monitor and validate the corrective security actions taken by State agencies and their contractors, and 3) continue to use the recently implemented monitoring tool and complete the training of new staff to increase the efficiency of the reporting process.

Response

IRS management agreed with our recommendations.
Publication 1075 will be revised to require the State Government agencies to report the status of their actions to address outstanding findings on a semiannual basis and provide documentary verification when closing high-priority findings. In addition, a recruitment action to staff a full-time position dedicated to the monitoring of corrective actions taken by State agencies and their contractors will be completed. Lastly, the Office of Safeguards will continue to utilize the inventory monitoring tool and complete the training of new staff.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background

Results of Review
    The Safeguards Program Has Corrected Prior Weaknesses on Its Test Plans and Contract Oversight
    The Safeguards Program Was Not Adequately Monitoring and Verifying Whether State Government Agencies Are Implementing Corrective Actions on Identified Computer Security Weaknesses
        Recommendation 1
        Recommendation 2
    The Results of Safeguard Reviews of State Government Agencies Continue to Be Reported in an Untimely Manner
        Recommendation 3

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

IRS      Internal Revenue Service
NIST     National Institute of Standards and Technology
POA&M    Plan of Actions and Milestones

Background

The Internal Revenue Code [1] authorizes the Internal Revenue Service (IRS) to disclose Federal tax information to various State Government agencies for the purpose of tax administration. For example, State tax agencies can use Federal tax information to identify individuals who have not filed State tax returns, determine whether discrepancies exist in the reporting of income, locate delinquent taxpayers, and determine whether IRS adjustments have State tax implications.

Due to Federal Government requirements to protect tax information and the concerns over the potential misuse of unprotected data for identity theft, State Government agencies are required to have adequate controls in place to prevent unauthorized disclosures. Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities (IRS Publication 1075, dated October 2007) provides guidance to State agencies regarding the policies and procedures necessary to adequately protect Federal tax information. Before a State agency receives Federal tax information, it must submit a formal report that describes how it will protect and safeguard the tax information. In addition, State agencies that receive Federal tax information are required to file an annual report to describe any changes to their safeguard procedures, advise the IRS of future actions that will affect safeguard procedures, and certify that they are protecting the data.

The Safeguards Program within the Communications, Liaison, and Disclosure organization of the IRS Small Business/Self-Employed Division is responsible for managing and providing oversight to State Government agencies receiving Federal tax information. To ensure the information is adequately protected, the Safeguards Program is responsible for conducting safeguard reviews [2] at least once every 3 years of each State agency receiving Federal tax information and is responsible for evaluating the State agencies’ compliance with security procedures.
During its onsite reviews, the Safeguards Program uses test plans that address the security requirements for State agencies processing and storing Federal tax information on different computing platforms, including Windows, UNIX, and IBM mainframe computers.

In February 2003, we issued a report [3] which concluded that Federal tax information was at risk while in the possession of State Government tax agencies. In September 2005, we issued a followup report [4] that raised specific concerns regarding the physical security, user account management, access controls, audit trails, intrusion detection, and firewall systems at all four State agencies we visited. These weaknesses placed Federal tax information at increased risk of unauthorized use or theft.

[1] Internal Revenue Code Section 6103 (2008).
[2] The IRS conducts safeguard reviews to evaluate State Government agencies’ compliance with security procedures. These reviews generally follow test plans that contain security requirements.
[3] Computer Security Weaknesses at State Agencies Put Federal Tax Information at Risk (Reference Number 2003-20-064, dated February 21, 2003).
[4] Increased IRS Oversight of State Agencies Is Needed to Ensure Federal Tax Information Is Protected (Reference Number 2005-20-184, dated September 30, 2005).

In August 2007, we conducted another followup review [5] and reported significant weaknesses in the management of the IRS Safeguards Program.
Specifically, we reported that 1) test plans used to conduct safeguard reviews were not consistent with Federal guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-53a, [6] 2) corrective actions stemming from safeguard reviews were not monitored, 3) results of safeguard reviews were not provided to State Government agencies in a timely manner, and 4) contractor performance and billing were not adequately managed and verified.

This review was performed at the Small Business/Self-Employed Division Safeguards Program office in the IRS Headquarters in Washington, D.C., during the period March through August 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

[5] Insufficient Attention Has Been Given to Ensure States Protect Taxpayer Information (Reference Number 2007-20-134, dated August 31, 2007).
[6] Guide for Assessing the Security Controls in Federal Information Systems, dated July 2008, provides guidelines for building security assessment plans and comprehensive procedures for assessing the effectiveness of security controls employed in information systems in the Federal Government.

Results of Review

During our August 2007 review, we reported significant weaknesses in the management of the IRS Safeguards Program. Specifically, we identified four key areas needing management attention.

    1. To be consistent with Federal Government computer security guidance found in NIST Special Publication 800-53a, management needed to revise its test plans used during its onsite reviews of State agencies.
    2. To increase its management oversight of the contract supporting the Safeguards Program, management needed to clearly define task orders, [7] staff hours, and contractor deliverables, as well as closely monitor contractor billings.
    3. To monitor and validate State Governments’ corrective actions of reported computer security weaknesses, management needed to develop and implement a Plan of Actions and Milestones (POA&M) [8] process.
    4. To comply with the 45-day reporting time period, management needed to improve its timeliness of reporting the results of its reviews to State Government agencies.

In July 2007, the Safeguards Program was moved from the Modernization and Information Technology Services Cybersecurity organization to the Small Business/Self-Employed Division. The new management staff took immediate actions to address these weaknesses. In our current review, we noted improvements in the first two areas. IRS Publication 1075 and the test plans have been revised to be consistent with Federal guidelines, and effective controls have been implemented to manage the contract supporting the Safeguards Program. However, we believe the other two areas, the use of POA&Ms and the timeliness of reporting results, were only partially corrected or not corrected at all and will continue to require management attention.

The Safeguards Program Has Corrected Prior Weaknesses on Its Test Plans and Contract Oversight

During our 2007 review, we determined that test plans the Safeguards Program management approved for use during its computer security onsite reviews of State Government agencies had not been updated to include many of the control areas described in NIST Special

[7] A task order is an order for services placed against an established contract.
[8] The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

Program POA&M management tool, and receives annual updates from the agencies explaining what corrective actions they have taken.

However, the Safeguards Program does not monitor the targeted due dates of the recorded weaknesses to ensure that corrective actions are implemented in a timely manner. We identified 45 State agencies in the IRS POA&M tool having 1,094 security weaknesses that had not been corrected by the targeted milestone dates. These weaknesses included instances where access controls and audit trails had not been implemented effectively. The Safeguards Program conducts only a limited review of the information provided by the State agencies in their annual reports to validate that corrective actions taken were appropriate and implemented. Therefore, we believe the Safeguards Program is not proactively monitoring the progress of corrective actions or validating the closure of corrective actions identified during safeguard reviews of State agencies and their contractors.

For its monitoring efforts, the Safeguards Program places the burden for monitoring corrective actions on the State agencies and their contractors that receive Federal tax information. As for validating closure of corrective actions, the Safeguards Program POA&M methodology does not include the validation of corrective actions prior to their closure on the POA&M. When we presented our concerns over this issue, Safeguards Program management informed us that they had planned to revise IRS Publication 1075 to increase the frequency of POA&M reporting by State agencies. However, the specifics of the time periods or format for the new reporting requirements have not been defined. Safeguards Program management also explained that they do not currently have the staff needed to proactively monitor the POA&Ms.
Management plans to fill a staff position that would be dedicated to proactively managing the corrective actions in the POA&M tool.

Given limited oversight by the Safeguards Program, State Government agencies and their contractors might not take appropriate corrective actions within a reasonable time period to correct security weaknesses identified in safeguard reviews. Inaction or inappropriate actions by State agencies and their contractors increase the risk that Federal tax information might not be adequately protected and might be inappropriately accessed or used, possibly for fraudulent purposes such as identity theft.

Recommendations

The Director, Safeguards, should:

Recommendation 1: Revise existing policies, as necessary, to require State agencies and their contractors to provide sufficient documentation on a more frequent basis to support that corrective security actions were taken to address reported computer security weaknesses.

    Management’s Response: IRS management agreed with this recommendation. Revisions to IRS Publication 1075 will require agencies to 1) report the status of their actions to address outstanding findings on a semiannual basis and 2) provide documentary verification when closing high-priority findings.

Recommendation 2: Complete planned personnel actions so that adequate staffing is available to proactively monitor and validate the corrective security actions taken by State agencies and their contractors.

    Management’s Response: IRS management agreed with this recommendation. A recruitment action has been initiated to staff a full-time position dedicated to the monitoring of corrective actions taken by the State agencies and their contractors.

The Results of Safeguard Reviews of State Government Agencies Continue to Be Reported in an Untimely Manner

IRS procedures state that safeguard review reports should be provided to the State agency and/or to its contractors promptly after the conclusion of the onsite portion of the review to convey the IRS’ commitment to ensuring the confidentiality of the Federal tax information and return information. The interim safeguard review reports should be issued within 45 calendar days after the closing conference.

During our 2007 review, we reported that the Safeguards Program issued safeguard reports during Fiscal Years 2006 and 2007 in an average of 81 calendar days after completion of onsite reviews. We attributed the late issuance of reports to a lack of management attention to the process.

In this review, we determined that the IRS has increased its management attention to the reporting process. Safeguards Program management provided us with the spreadsheet tool they use to monitor the status of reports. In the prior audit, management did not use similar monitoring tools.

While management attention has increased, reports still continue to be issued in an untimely manner. For safeguard reviews conducted in Fiscal Year 2008, the Safeguards Program issued 66 of 78 draft reports in an average of 106 calendar days after the closing conferences. As of June 30, 2009, the remaining 12 draft reports for Fiscal Year 2008 had not been issued to the recipient agencies and their contractors and averaged 354 calendar days after the closing conference dates.
With these delays, security weaknesses identified in safeguard reviews might not be addressed for months after the reviews, increasing the risk that Federal tax information might not be adequately protected and, therefore, could be inappropriately accessed or used.

We believe the most significant cause for the delays in reporting was a turnover in staff in the Safeguards Program. At the end of Fiscal Year 2008, two experienced staff employees retired and three new employees were hired. The new hires have devoted considerable time to completing the training program established by the Safeguards Program.
Safeguards Program management believes that once the new hires are trained, and they are available to devote their full attention to the review process, the timeliness issue will improve.

Recommendation

The Director, Safeguards, should:

Recommendation 3: Continue to use the recently implemented monitoring tool and complete the training of new staff to increase the efficiency of the reporting process.

    Management’s Response: IRS management agreed with this recommendation. They will continue to utilize the inventory monitoring tool, focus on improving the timely issuance of reports, and complete the training of new employees.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to follow up on a prior audit report [1] and determine whether the IRS Safeguards Program has implemented sufficient policies and procedures to ensure that State Government agencies are adequately protecting Federal tax information received from the IRS. To accomplish our objective, we:

I.   Determined whether test plans used to conduct safeguard reviews are consistent with applicable guidance, including IRS Publication 1075 [2] and NIST Special Publication 800-53a. [3]
     A. Reviewed all 13 test plans being used during safeguard reviews. [4]
     B. Compared test plans with IRS Publication 1075 and NIST Special Publication 800-53a.
     C. Discussed any discrepancies noted in Step I.B. with Safeguards Program management to determine reasons for variances in the documents.
II.  Determined whether a sound oversight program has been implemented to conduct safeguard reviews, identify weaknesses and corrective actions, and monitor corrective actions to completion.
     A. Reviewed milestone information for safeguard reviews to determine whether:
        1. Reviews are started as scheduled.
        2. Reviews are completed in a timely manner.
        3. Results are provided to State agencies in a timely manner.
     B. Determined whether the Safeguards Program is:
        1. Tracking weaknesses and corrective actions resulting from safeguard reviews using a POA&M [5] process.
        2. Closely monitoring the POA&Ms to ensure that corrective actions are implemented.
        3. Properly validating corrective actions prior to closing them out on the POA&Ms.
     C. Discussed any issues identified from audit Steps II.A. and II.B. with Safeguards Program management to determine why issues exist.
     D. Assessed the effect of any weaknesses identified during completion of audit Steps II.A. and II.B.
III. Determined whether contractor support for the Safeguards Program is adequately managed.
     A. Determined whether work requests are written for each task and clearly define the work to be performed as outlined in the Statement of Work (including skill categories and estimated hours per category; required products, due dates, and specific acceptance criteria; performance sites; and any Government-furnished equipment needed by the contractor).
     B. Determined whether work requests are reviewed and approved by IRS management.
     C. Discussed the contractor oversight process with Safeguards Program management, reviewed evidence that contractor performance is being reviewed on a regular basis, and determined whether the review process appears effective.
     D. Reviewed contractor invoices and documentation to determine whether they are adequately reviewed prior to approval by IRS management.
     E. Discussed any issues identified from audit Steps III.A. through III.D. with Safeguards Program management to determine why the issues exist.
     F. Assessed the effect of weaknesses identified during completion of audit Steps III.A. through III.D.

[1] Insufficient Attention Has Been Given to Ensure States Protect Taxpayer Information (Reference Number 2007-20-134, dated August 31, 2007).
[2] Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities, dated October 2007, provides guidance to States regarding the policies and procedures necessary to adequately protect Federal tax information.
[3] Guide for Assessing the Security Controls in Federal Information Systems, dated July 2008, provides guidelines for building security assessment plans and comprehensive procedures for assessing the effectiveness of security controls employed in information systems in the Federal Government.
[4] The IRS conducts safeguard reviews to evaluate State Government agencies’ compliance with security procedures. These reviews generally follow test plans that contain security requirements.
[5] The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Acting Director
Carol Taylor, Audit Manager
Myron Gulley, Senior Auditor
Louis Lee, Senior Auditor
Monique Queen, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner  C
Office of the Commissioner – Attn: Chief of Staff  C
Deputy Commissioner for Services and Enforcement  SE
Deputy Commissioner, Small Business/Self-Employed Division  SE:S
Director, Communications, Liaison, and Disclosure, Small Business/Self-Employed Division  SE:S:CLD
Director, Safeguards, Small Business/Self-Employed Division  SE:S:CLD:S
Chief Counsel  CC
National Taxpayer Advocate  TA
Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O
Office of Internal Control  OS:CFO:CPIC:IC
Audit Liaison: Commissioner, Small Business/Self-Employed Division  SE:S

Appendix IV

Management’s Response to the Draft Report